1 change: 0 additions & 1 deletion modules/agentless-scan/README.md
Expand Up @@ -76,7 +76,6 @@ No modules.
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP Project ID | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no |
| <a name="input_sysdig_account_id"></a> [sysdig\_account\_id](#input\_sysdig\_account\_id) | Sysdig provided GCP Account designated for the host scan.<br/>One of `sysdig_backend` or `sysdig_account_id`must be provided | `string` | `null` | no |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated. | `string` | `null` | no |

30 changes: 15 additions & 15 deletions modules/agentless-scan/main.tf
Expand Up @@ -56,12 +56,12 @@ resource "google_iam_workload_identity_pool" "agentless" {
}

resource "google_iam_workload_identity_pool_provider" "agentless" {
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

Expand All @@ -86,12 +86,12 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
}

resource "google_service_account_iam_member" "controller_custom" {
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

Expand All @@ -101,12 +101,12 @@ resource "google_service_account_iam_member" "controller_custom" {
}

resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
count = var.sysdig_account_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

Expand All @@ -116,7 +116,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
description = "GCP identity pool provider for Sysdig Secure Agentless Host Scanning"
disabled = false

attribute_condition = "google.subject == \"${var.sysdig_account_id}\""
attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}\""

attribute_mapping = {
"google.subject" = "assertion.sub"
Expand All @@ -129,18 +129,18 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
}

resource "google_service_account_iam_member" "controller_custom_gcp" {
count = var.sysdig_account_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

service_account_id = google_service_account.controller.name
role = "roles/iam.workloadIdentityUser"
member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${var.sysdig_account_id}"
member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}"
}

#-----------------------------------------------------------------------------------------
Expand Down Expand Up @@ -200,7 +200,7 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_agentless_scan" {
service_principal_metadata = jsonencode({
gcp = {
workload_identity_federation = {
pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.gcp.worker_identity != null ? google_iam_workload_identity_pool_provider.agentless[0].name : var.sysdig_account_id != null ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].name : data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
}
email = google_service_account.controller.email
}
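Review bot: The rewritten precondition on `agentless_gcp` (`condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)`) still accepts an empty-string `cloud_id` even though its error message reads "Cannot provide empty sysdig backend cloud_id"; a blank value would then be interpolated into `attribute_condition = "google.subject == \"\""` and into the `principalSet://.../attribute.sa_id/` member, most likely yielding a federation binding that never matches instead of a plan-time failure. A check that rejects both null and blank, such as `condition = try(length(trimspace(data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id)) > 0, false)`, would make the error message truthful. The identical precondition is repeated verbatim in `agentless`, `controller_custom` and `controller_custom_gcp`, so the same change applies there, or the expression could be lifted into a shared local to keep the four copies from drifting. Every resource block touched here starts or ends outside the visible hunk lines.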
6 changes: 0 additions & 6 deletions modules/agentless-scan/variables.tf
Expand Up @@ -15,12 +15,6 @@ variable "organization_domain" {
default = ""
}

variable "sysdig_account_id" {
type = string
description = "Sysdig provided GCP Account designated for the host scan. One of sysdig_backend or sysdig_account_id must be provided"
default = null
}

variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)"